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To  the  Members  of  the  Advisory  Budget  Commission 


Many  State  agencies  use  computers  extensively  in  the  accomplishment 
of  their  mission.     The  automation  of  their  systems  has  not  altered  the 
objectives  of  the  Department  of  State  Auditor,  but  it  has  called  for 
changes  in  our  methods.     In  responding  to  this  need  for  change,  we  have 
over  the  years  altered  our  audit  techniques,  and  recently  we  made  a  change 
in  our  organization.     We  have  established  a  team  of  auditors  who  will 
specialize  in  reviewing  the  controls  in  computer  systems  to  help  provide 
assurance  that  the  systems  are  producing  reliable  results.    Although  the 
work  of  this  team  will  be  primarily  an  adjunct  to  our  financial  audits, 
the  team  will  from  time  to  time  issue  their  own  audit  reports. 

This  is  one  of  two  reports  that  will  be  issued  as  a  result  of  the  EDP 
(Electronic  Data  Processing)  audit  of  the  internal  controls  present  within 
the  systems  development  and  data  processing  segments  of  the  Office  of  State 
Management  Systems.     A  second  report,  to  be  issued  within  a  few  weeks,  will 
present  our  findings  relative  to  the  internal  controls  present  within  the 
State's  central  payroll  system.     The  payroll  application  was  audited  con- 
currently with  the  audit  of  the  State  Computer  Center  and  the  Application 
Systems  Development  Section,  and  served  as  a  vehicle  for  the  audit  of  those 
sections  of  the  Office  of  State  Management  Systems. 

We  wish  to  express  our  appreciation  to  the  management  and  staff  of  the 
Office  of  State  Management  Systems  for  their  cordiality  and  cooperation 
during  this  audit. 


Respectfully  submitted, 


Henry-A.  Bridges 
State  Auditor 


September  21,  1979 
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INTRODUCTION 

Background  Information 

The  Office  of  State  Management  Systems  consists  of  three  major  sections: 
the  State  Computer  Center  (SCO  Section,  the  Application  System  Development 
Section  (ASDS),  and  the  Plans,  Coordination,  and  Training  Section. 

The  sec  section's  primary  functions  relate  to  the  operation 
of  the  State  Computer  Center,  a  large  data  processing  facility  which  serves 
many  State  agencies.     The  SCC  section  is  entirely  receipt  supported.  Agencies 
were  billed  $3,005,781  for  services  provided  by  the  SCC  in  fiscal  year  1979. 
The  State  Computer  Center  operates  24  hours  a  day,  five  days  per  week. 

The  Application  Systems  Development  Section  (ASDS)  provides  assistance 
in  planning  and  developing  automated  systems.     Agencies  with  no  systems 
development  staff  rely  entirely  on  the  ASDS  for  this  function.     Agencies  which 
employ  computer  programmers  and  systems  analysts  may  call  on  ASDS  for  assistance 
on  projects  which  require    specialized  expertise  not  available  in  a  small  staff. 
ASDS  bills  agencies  for  the  services  that  they  render.     In  fiscal  year  1979 
agencies  paid  $397,894  for  services  rendered  by  ASDS. 

The  Plans,  Coordination,  and  Training  Section  has  duties  of  a  State-wide 
nature  including  approving  agency  plans  for  data  processing,  providing  technical 
consultation,  and  operating  a  training  center  for  EDP  personnel.     This  section 
of  OSMS  was  not  a  topic  of  this  audit. 

Central  Payroll,  a  segment  of  the  State  Disbursing  Office,  is  responsible 
for  the  issuance  of  payroll  checks  to  over  60,000  State  employees  and  is  also 
responsible  for  the  issuance  of  all  Federal  and  State  reports  related  to  those 
payrolls.     Central  Payroll  relies  on  the  State  Computer  Center  for  processing 
the  payroll  data  and  on  the  Application  Systems  Development  Section  for 
systems  analysis  and  programming. 


Audit  Objectives  and  Scope 

The  objective  of  this  audit  was  to  determine  the  adequacy  of  internal 
controls  which  are  in  place  to  minimize  the  possibility  of  accidental 
errors,  unauthorized  access  to  data,  unauthorized  access  to  computer  programs, 
and  unauthorized  use  of  the  information  processing  facilities.     In  addition, 
we  reviewed  the  measures  which  have  been  taken  to  protect  the  facility  from 
destruction  by  fire,  flood,  explosion,  or  vandalism,  and  we  reviewed  the 
controls  which  are  in  place  to  minimize  the  effect  should  such  a  disaster 
occur . 

The  review  was  limited  to  the  State  Computer  Center,  the  Application 
Systems  Development  Section  and  the  Central  Payroll  Application.  Other 
State  computer  centers  and  other  applications  were  not  reviewed.  Recommen- 
dations related  specifically  to  the  payroll  application  are  to  be  presented 
in  a  separate  report. 

We  applied  the  control  standards  found  in  the  Institute  of  Internal 
Auditors'  publication,  Systems  Auditability  and  Control,  and  in  the  EDP 
Auditors  Foundations'  publication.  Control  Objectives.     Our  recommendations 
are  based  on  an  evaluation  of  the  existing  controls  compared  to  the  suggested 
control  standards  presented  in  these  publications.     Deviations  from  compliance 
with  the  standards  are  presented  only  for  instances  in  which  we  believe 
compliance  could  be  accomplished  by  practicable  and  cost-justifiable  means. 

EDP  Auditors  from  the  U.  S.  General  Accounting  Office  (GAO)  assisted  us 
in  certain  phases  of  the  audit  and  provided  us  with  consultation  when  needed 
throughout  the  audit.     The  individual  GAO  auditors  who  worked  with  us  concur 
with  the  findings  and  recommendations  presented  here,  but  their  concurrence 
does  not  constitute  an  official  GAO  position. 
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FINDINGS  AND  RECOMMENDATIONS  -  GENERAL 


It  should  be  understood  that  this  is  an  exception  report.     No  effort 
has  been  made  to  include  mention  of  the  many  positive  aspects  of  this 
operation;  only  those  areas  which  we  believe  are  in  need  of  improvement 
are  presented. 

For  the  convenience  of  the  Office  of  State  Management  Systems,  we  have 
segregated  our  remarks  by  the  two  OSMS  sections  which  are  involved:  the 
State  Computer  Center  and  the  Application    Systems  Development  Section. 
The  first  topic,  presented  below,  is  applicable  to  both  sections. 

Background  Investigations  of  Applicants  Are  Not  Being  Conducted 

Most  of  the  personnel  positions  in  the  State  Computer  Center  and  in 
the  Application  Systems  Development  section  are  sensitive  positions  because 
they  provide  incumbents  with  access  to  valuable  assets,  the  potential  to  cause 
costly  damage  to  the  State,  and/or  access  to  sensitive  or  critical  information. 
Nevertheless,  applicants  are  hired  after  little  screening  and  no  background 
investigation. 

The  Director  of  the  OSMS  told  us  that  he  stopped  screening  applicants  a 
few  years  ago  because  of  uncertainty  over  the  limitations  imposed  by  Federal 
laws  concerning  discrimination  and  privacy.     Managers  of  other  data  processing 
facilities  in  State  government  told  us  the  same  thing.     However,   through  dis- 
cussions with  persons  from  the  Office  of  State  Personnel  and  the  Justice 
Department,  we  have  learned  that  there  are  no  significant  limitations  on 
conducting  background  investigations. 

Recommendation 

Because  of  the  State  government-wide  nature  of  this  problem, 
we  have  presented  it  to  the  Office  of  State  Personnel  with  the 
recommendation  that  they  provide  guidance  to  the  agencies  in 
1)   identifying  "sensitive"  positions,   2)  clarifying  the  limitations 
of  the  Federal  laws,  3)  providing  procedures  for  screening  and 
performing  background  investigations  of  applicants. 


FINDINGS  AND  RECOMMENDATIONS  -  STATE  COMPUTER  CENTER 


Physical  Security  Should  Be  Strengthened 

The  physical  security  of  the  SCC  has  been  significantly  improved  in 
recent  months  by  the  reduction  in  the  number  of  doorways,  the  installation 
of  stronger  doors,  and  the  installation  of  a  computer-controlled  door 
locking  system  which  requires  the  use  of  a  magnetic  card  and  a  push  button 
code  for  entry.     However,  in  view  of  the  high  dollar  value  of  the  equipment, 
the  concentration  of  the  risk  area,  and  the  near  indispensabi lity  of  con- 
tinuous operation,  we  believe  that  further  improvements  are  needed  to  obtain 
a  level  of  security  commensurate  with  this  facility.     Specifically,  we  believe 
that  the  following  topics  relative  to  access  and  visibility  of  the  SCC  need 
to  be  addressed. 

—  There  are  exterior  windows  in  this  ground-level  facility. 

—  The  input /output  window  is  an  opening  to  the  computer  facility 
which  exposes  the  interior  of  the  facility  to  view  and  possible 
entry  during  8:00  A.M.  -  5:00  P.M. 

—  There  is  no  current  formal  policy  on  visitors. 

—  The  presence  of  the  facility  is  unnecessarily  indicated  by 
warning  signs  on  some  of  the  doors. 

—  The  air  conditioning  equipment  which  is  essential  to  the 
operation  of  the  facility  is  quite  vulnerable  to  vandals. 

—  An  alarm  system  to  alert  State  Security  to  intruders  during 
non-operational  hours  has  not  been  provided. 

Exterior  Windows 

The  exterior  windows  are  of  the  same  type  as  other  windows  in  the  building 
except  that  some  are  of  one-half  inch  clear  Plexiglass  and  the  remainder  are 
of  one-quarter  inch  Plexiglass.     We  believe  that  for  adequate  security,  the 
entire  exterior  perimeter  should  be  of  a  material  stronger  than  one-quarter 
inch  Plexiglass  and  be  of  substance  which  would  not  expose  the  facility  to  the 


view  of  persons  outside.     It  is  our  understanding  that  several  years  ago  SCC 
management  requested  that  the  windows  be  covered  with  brick,  but  their  request 
was  denied  by  the  Office  of  State  Property  for  aesthetic  reasons. 
Recommendations 

1.  We  recommend  that  SCC  management  resubmit  their  request  to  the 
Office  of  State  Property. 

2.  We  recommend  that  the  Office  of  State  Property  either  approve 
the  request  for  bricking  over  the  windows  or  that  they  provide 
an  alternate  means  of  accomplishing  the  intended  objective. 

Input/Output  Window 

The  input/output  window  is  a  counter  where  computer  users  come  to  submit 
jobs  or  pickup  computer  output.     It  is  open  during  normal  working  hours  and 
is  usually,  but  not  always,  attended.     The  window  affords  a  view  into  the 
computer  room/tape  library  and  could  provide  access  to  anyone  able  to  scale 
a  counter-high  partition.     The  window  is  visible  from  the  main  hallway  and 
can  be  approached  by  anyone  who  enters  the  building.     There  are  no  restric- 
tions on  entering  the  building. 

Recommendation 

We  recommend  that  the  input/output  window  be  in  a  separate 
room  with  a  locked  door  separating  the  input/output  area  from  the 
information  processing  facility,  and  that  the  input/output  room  be 
equipped  with  an  inconspicuous  lever  connected  to  an  alarm  at  the 
State  Government  Security  Office. 

Visitors 

There  are  three  primary  categories  of  visitors  to  the  SCC:     users  who 
have  a  large  quantity  of  output  to  be  picked  up,  maintenance  personnel,  and 
guests  who  are  there  to  tour  the  facility.     Users  who  have  come  to  pick  up 
computer  output  (printouts,  paychecks,  etc.)  are  usually  in  the  facility  for 
only  a  few  minutes  or  less,  and  are  admitted  and  observed  by  the  person 
attending  the  input/output  window.     Persons  who  are  there  to  tour  the 
facilities  are  routinely  accompanied  by  a  member  of  the  SCC  staff,  but 
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maintenance  personnel  are  not  always  in  the  direct  company  or  observance 


of  sec  staff  members.     They  are  admitted  to  the  facilities  by  someone  who 
recognizes  them,  but  they  are  not  assigned  an  identifying  badge  and  are 
not  asked  to  sign  a  visitors  log.     Persons  in  the  computer  room  seeing  a 
stranger  who  is  not  accompanied  must  assume  that  he  is  there  for  legitimate 


reasons.     However,  it  is  possible  that  he  may  have  climbed  in  through  the 
input/output  window  when  it  was  unattended,  or  he  might  have  walked  in 
before  the  door  closed  after  a  key-card  holder  entered. 

Since  some  routine  maintenance  is  done  when  the  center  is  not  in 


operation,  maintenance  personnel  from  two  computer  hardware  companies,  IBM 
and  STC,  were  issued  key-cards  and  lock  combinations  to  enable  them  to  enter 
the  facilities  when  no  one  is  there.     Generally  accepted  control  practices 
require  that  visitors  be  accompanied  by  a  computer  center  employee. 


Recommendations 


1.  We  recommend  that  users  not  be  admitted  to  the  computer 
room  to  pick  up  large  quantities  of  output.     Rather,  we 
recommend  that  all  output  be  placed  in  the  separate  input/ 
output  room  recommended  earlier  in  this  report  for  pickup 
by  the  users. 

2.  We  recommend  that  the  SCC  adopt  a  formal  policy  on  visitors 
which  includes  a  requirement  that  each  visitor  be  required 
to  wear  a  numbered  identification  badge  and  sign  a  visitors 
log.     The  visitors  log,   in  our  opinion,   should  include  places 
for  the  visitor's  signature,   the  date  and  time  he  was  admitted, 
the  signature  of  the  person  who  admitted  him,  the  number  of  the 
badge  assigned  to  him,  and  the  date  and  time  of  his  departure. 
The  log  should  be  regularly  reviewed  by  management. 

3.  We  recommend  that  an  SCC  employee  be  present  whenever  maintenance 
people  must  be  in  the  computer  room. 


Signs  On  Doors 

The  computer  room  is  protected  from  fire  by  an  extinguishing  system 
which  utilizes  Halon,  a  gas  which  will  extinguish  fires  without  damaging 
equipment  or  injuring  persons  who  breathe  it.  For  the  system  to  be  effective. 
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it  is  essential  that  all  doors  to  the  Halon-protected  areas  remain  closed 
at  all  times.     To  remind  conputer  room  personnel  of  this,  and  to  comply 
with  a  National  Fire  Protection  Association  regulation,   there  are  signs 
on  the  outside  of  several  computer  room  doors:     "-CAUTION-  This  door  must 
be  kept  closed  at  all  times.     Room  protected  with  Halon  1301." 

We  believe  that  the  signs  are  quite  undesirable  because  they  signal 
the  exact  location  of  the  computer  center.     Generally  accepted  control 
practices  require  that  the  location  of  computing  facilities  be  as  incon- 
spicuous as  possible. 

Recommendation 

We  recommend  that  the  Halon  warning  signs  be  removed  from 
all  exit-only  doors,  and  that  some  other  method  be  utilized  to 
remind  the  operators  of  the  necessity  for  keeping  these  doors 
c losed . 

Air  Conditioning 

The  State  Computer  Center  is  not  cooled  by  the  main  building  air  condi- 
tioning system;  rather,  it  is  cooled  by  its  own  system  which  was  designed 
to  meet  the  unique  needs  of  the  facility.     The  compressors  for  the  SCC  air 
conditioning  system  are  located  on  the  ground  a  few  feet  from  the  building. 
No  steps  were  taken  to  protect  the  compressors,  coolant  lines,  or  electrical 
wiring  from  vandals. 

The  State  Computer  Center  cannot  function  without  its  air  conditioning 
system.     Heat  generated  by  the  data  processing  equipment  would  soon  destroy 
the  equipment  if  the  equipment  were  not  shut  off.     Hence,  vandals  could 
terminate  the  data  processing  activities  without  even  entering  the  building. 
Such  damage,   in  the  estimate  of  the  Director  of  the  SCC,  may  require  as 
long  as  three  weeks  to  repair. 
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Recommendation 

We  recommend  that  the  air  conditioning  equipment  either 
be  placed  in  a  more  secure  location,  perhaps  on  the  roof,  or 
that  the  present  location  be  made  more  secure. 

Security  During  Non-Operational  Hours 

The  area  which  houses  the  State  Computer  Center  was  not  built  to  provide 
any  special  degree  of  security.     Interior  walls  separating  the  center  from 
hallways  are  no  different  from  any  other  walls  in  the  building.     Thus,  even 
with  the  sophisticated  locking  system  and  stronger  doors  that  were  recently 
installed,  and  even  with  the  additional  measures  recommended  on  earlier 
pages  of  this  report,   the  SCC  is  still  not  a  particularly  secure  facility. 
Costly  and  essential  equipment,  and  thousands  of  needed  data  files  are 
vulnerable  to  anyone  who  gains  entrance  to  the  building,   since  only  plaster- 
board panels  separate  the  facility  from  the  hallway.     On  weekends  and  on 
holidays  there  is  usually  no  one  in  the  SCC. 

Recommendation 

We  recommend  that  consideration  be  given  to  the  purchase  and 
installation  of  a  system  that  would  alert  State  Security  to  the 
presence  of  someone  in  the  facility  when  no  one  is  supposed  to  be 
there. 

Disaster  Recovery  Plan  Needed 

"  Because  of  the  State's  increasing  reliance  on  data  processing  and  because 
of  centralization  of  the  processing  function,  the  operation  of  the  State 
Computer  Center  has  become  extremely  critical  to  the  operation  of  State  govern- 
ment.    Failure  of  this  one  computing  facility  would  adversely  affect  the 
services  rendered  by  many  State  agencies. 

SCC  management  have  placed  considerable  emphasis  on  preventing  a  disaster, 
but  have  not  prepared  a  plan  of  action  for  recovering  from  a  disaster.  Certain 
decisions  have  been  made,  but  they  have  not  been  documented,  and  they  are  not 


-8- 


sufficiently  detailed. 

A  major  component  of  a  disaster  recovery  plan  is  the  use  of  copies  of 
files  stored  off-site  and,     thus,  available  in  the  event  on-site  files  are 
lost.     The  sec  does  not  store  copies  of  its  own  files  off-site  and  does  not 
offer  an  off -site  storage  service  to  users.     Rather,  a  vault  located  in  the 
computer  room  is  used  for  this  purpose.     The  vault  is  certified  by  Under- 
writers Laboratories  as  capable  of  maintaining  the  inside  temperature  below 
150  F  during  a  fire  for  a  duration  of  four  hours.     This  high  degree  of 
protection  is  specifically  intended  to  protect  magnetic  tapes  which  may 
decompose  at  temperatures  of  as  low  as  170  F;  however,  there  can  be  no 
assurance  that  at  the  moment  of  a  fire  or  explosion  the  vault  will  be 
closed.     More  significantly,  someone  in  the  computer  room  intent  on  destruc- 
tion should  not  be  given  access  to  the  only  source  of  recovery. 

Recommendation 

1.  Since  the  lack  of  disaster  recovery  plans  is  a  common  problem 
in  State  government,  we  suggested,  during  our  audit,  that  a 
task  force  be  appointed  to  resolve  the  problem.     The  Governor 
has  appointed  such  a  task  force,  and  SCC  management  are  active 
members.     We  encourage  this  task  force  to  continue  their  efforts. 

2.  We  recommend  that  the  SCC  implement  off-site  storage  for  their 
own  backup  files  and  for  those  of  user  agencies. 

More  Control  Needed  Over  Critical  Tape  Files 

Standard  control  techniques  include  physical  separation  of  the  magnetic 
tape  library  from  the  computer  room  and  assigning  responsibility  for  all  tapes 
and  all  removable  disk  packs  to  a  librarian.     In  this  type  of  arrangement  a 
librarian  signs  out  needed  tapes  to  the  computer  operators  and  records  their 
return. 

The  State  Computer  Center  does  not  have  this  kind  of  control.  Operators 
have  access  to  the  tape  racks  and  pull  tapes  as  needed.     SCC  management  contend 
that  this  is  an  acceptable  arrangement  because  of  the  tape  management  software 
in  use  in  the  center  which  enables  using  unlabeled  tapes.     The  only  indentifying 
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information  on  a  tape  is  a  six-digit  number  which  is  assigned  in  no  particular 
order.     As  a  result,  some  control  is  effected  through  secrecy  as  to  what  is  on 
the  tapes.     However,  no  steps  have  been  taken  to  provide  security  over  the 
printouts  which  provide  a  cross-listing.     Also,  a  knowledgeable  operator  could 
obtain  this  information  via  a  computer  terminal. 
Recommendation 

Although  we  concur  with  SCC  management  that  the  tape  management 
software  provides  control,  we  believe  that  the  degree  of  control  is 
inadequate  for  critical  and/or  sensitive  files.  We  therefore  recom- 
mend that  the  SCC  ask  users  to  identify  files  which  they  consider  to 
be  critical  or  sensitive  and  that  files  identified  as  such  be  stored 
in  the  vault,  accessible  only  to  shift  managers  and  the  input/output 
staff.  (If  off-site  storage  is  implemented  as  recommended  in  the 
above  section  on  disaster  recovery,  the  vault  could  be  available  for 
this  service . ) 

More  Control  Needed  Over  Billing  Codes 

The  major  control  over  unauthorized  use  of  the  computer  via  batch  jobs 
submitted  at  the  input/output  window  is  the  billing  system.     Each  job  sub- 
mitted for  processing  is  billed  to  a  user  agency  which  is  identified  by  a 
two-letter  billing  code.     The  main  purpose  is,  of  course,  billing,  but  the 
billing  system  provides  two  types  of  controls  as  a  by-product.     First,  since 
only  certain  two-letter  codes  are  acceptable,  a  preventive  control  is  pre- 
sented by  the  need  to  know  an  assigned  code.     Secondly,  if  it  can  be  assumed 
that  user  agencies  verify  that  jobs  listed  on  their  monthly  billings  were 
actiaally  submitted  by  them,  a  detective  control,  a  control  that  detects  un- 
authorized usage,  is  also  a  result  of  the  billing  process. 

Unfortunately,  the  control  over  unauthorized  usage  provided  by  the  billing 
system  has  two  flaws.     We  do  not  believe  that  it  can  be  assumed  that  users 
verify  their  bills,  and  we  know  that  there  is  no  effort  at  all  to  keep  the 
billing  codes  confidential  —  each  printout  has  on  its  first  page  in  two-inch 
high  letters  the  billing  code  to  which  the  processing  was  charged. 


-10- 


Recommendation 


Since  computer  time  is  a  valuable  asset,  we  believe  that 
adequate  control  should  be  implemented  to  ensure  that  only 
authorized  users  have  access  to  it.  Hence,  we  recommend  that 
sec  take  steps  to  ensure  that  only  legitimate  users  have 
access  to  utilization  of  the  computer.  One  possible  approach 
might  be  to  convert  to  a  four-letter  billing  code  with  two  of 
the  letters  being  non-printable  characters.  If  this  approach 
is  used,  we  also  recommend  changing  the  codes  periodically. 
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FINDINGS  AND  RECOMMENDATIONS  - 
APPLICATION  SYSTEMS  DEVELOPMENT  SECTION 


Physical  Security  Should  Be  StrenRthened 

An  essential  ingredient  in  utilizing  the  computer  as  a  tool  for  fraud 
is  knowledge  of  the  application  and  the  computer  programs  which  comprise  it. 
Such  knowledge  could  be  provided  by  documents  kept  in  and  on  desks,  tables, 
and  file  cabinets  of  the  Application  Systems  Development  Section  (ASDS). 
However,  no  effort  has  been  made  to  secure  this  documentation.     The  presence 
of  employees  provides  adequate  control  during  working  hours,  but  more  control 
is  needed  at  other  times.    At  nights  and  on  weekends  the  ASDS  areas  are 
accessible  to  anyone  who  gains  admission  to  the  building.     Computer  operators 
on  duty  at  these  times  need  only  to  cross  the  hallway  to  gain  access  to  in- 
formation which  they  clearly  should  not  have. 

Recommendations 

1.  We  recommend  that  ASDS  adopt  a  policy  requiring  that  all 
system  and  program  documentation  be  stored  in  locked  desks 
or  cabinets  during  non-business  hours. 

2.  We  recommend  that  the  ASDS  areas  be  locked  when  no  one  is 
there . 

Documentation  Should  Be  Improved 

We  reviewed  the  documentation  for  the  Central  Payroll  Application  and 
found  that  there  was  no  narrative  description  or  comprehensive  flowchart  of 
the  system,   the  user  procedure  manual  was  not  up-to-date,  data  entry  procedures 
were  not  documented,  and  testing  procedures  were  not  described.     A  brief 
review  of  the  documentation  of  other  systems  developed  and  maintained  by  ASDS 
revealed  that  the  quantity  and  quality  of  documentation  varies  greatly  between 
applications . 


The  first  step  in  assuring  adequate  documentation  is  the  adoption  of 
standards.     ASDS  has  adopted  the  standards  issued  by  the  National  Bureau 
of  Standards,  but  they  did  so  after  the  payroll  system  was  developed. 
The  ASDS  did  not  attempt  to  bring  older  systems  up  to  the  level  of  docu- 
mentation required  by  the  standards. 

Recommendation 

We  regard  documentation  as  a  primary  control  over  data 
processing.     For  this  reason,  we  strongly  recommend  that  the 
documentation  standards  be  followed  in  the  development  of  new 
applications  and  in  the  subsequent  maintenance  of  those  appli- 
cations.    Regarding  existing  programs  and  systems,  we  recommend 
creation  of  documentation  to  bring  them  up  to  the  requirements 
of  the  standards,  or  to  specified  minimum  standards  as  proposed 
by  the  ASDS  manager.     If  different  standards  for  existing  systems 
and  programs  are  to  be  used,  they  should  be  documented  as  an 
addendum  to  the  adopted  standards. 

Control  Needed  Over  Loss  of  Documentation 

Considerable  cost  and  inconvenience  would  result  from  the  loss  of  docu- 
mentation of  programs  and  systems  maintained  by  the  ASDS.   However,  no  precautions 
have  been  taken  to  provide  security  over  this  documentation  nor  to  provide 
for  storage  of  copies  at  an  off-site  location. 

Recommendation 

In  an  above  section,  we  discussed  the  need  for  physical 
security  as  a  fraud  prevention  control.     The  recommendation 
made  in  that  section  should  provide  the  security  needed  to 
protect  against  loss  as  well.     Regarding  storage  of  back-up 
copies  off -site,  we  recommend  that  the  ASDS  and  the  documen- 
tation maintained  by  them  not  be  overlooked  in  the  disaster 
recovery  planning  which  is  currently  being  done. 

Control  Could  Be  Strengthened  By  Separating  Development  and  Maintenance  Functions 

Currently  the  team  which  participates  in  the  system  development  function 
maintains  the  programs  after  the  system  has  been  accepted  by  the  user.  An 
alternative  procedure  would  be  to  have  a  program  maintenance  team  assume 
responsibility  once  the  development  team  has  completed  its  work.     Such  a 
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separation  of  duties  would  provide  stronger  control,  and  if  the  maintenance 
team  had  to  formally  approve  and  accept  the  new  system,  there  would  be 
greater  assurance  of  adequate  testing,  plus  documentation  would  have  to  be 
complete . 

Many  software  development  organizations  are  not  large  enough  to  separate 
duties  to  this  extent.  However,  the  ASDS,  as  a  centralized  software  develop- 
ment group,  is  large  enough  to  have  this  kind  of  an  organizational  structure. 

Recommendation 

We  recommend  that  the  maintenance  and  development  functions 
be  separated.     This  could  be  accomplished  by  the  creation  of  teams 
dedicated  to  either  maintenance  or  development.     It  could  also  be 
accomplished  by  establishing  a  policy  whereby  each  team  remains  as 
a  dual  function  team,  but  maintains  only  systems  which  were  developed 
by  another  team. 

Program  Maintenance  Duties  Should  Be  Rotated 

The  ASDS  does  not  rotate  programmers  in  the  program  maintenance  function. 
For  example,  one  programmer  participated  in  the  maintenance  of  the  programs 
related  to  Central  Payroll  for  approximately  thirteen  years. 

In  manual  accounting  systems,  a  standard  control  to  reduce  the  possibility 
of  employee  fraud  is  occasional  rotation  of  duties.     This  same  control  could 
be  used  as  a  method  of  reducing  the  potential  for  fraud  by  computer  programmers. 

Recommendation 

We  recommend  that  the  ASDS  occasionally,  at  irregular  intervals, 
rotate  program  maintenance  duties. 
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North  Carolina  _ 
Department  of  Administration 


1 16  West  Jones  Sueei  Raleigh  27603 

James  B.  Hunt.  Jr..  Governor  •  Office  of  State  Management  Systems 

Joseph  W.  Grimsley.  Secretary  R-  E-  Johns.  State  Management  Systems  Officer 


(919)  733-7634 


October  4,  1979 


Mr.  Henry  Bridges 
State  Auditor 

Department  of  the  State  Auditor 
116  West  Jones  Street 
Raleigh,  North  Carolina 

Dear  Mr.  Bridges: 

I  appreciate  the  opportunity  of  conimenting  on  the  audit  of  the  State 
Computer  Center  and  Applications  Development  Sections  of  this  division.  I 
have  discussed  with  the  auditor  in  charge  and  have  furnished  him  with  specific 
comments  from  each  of  the  section  managers  relating  to  security  specifics  in 
the  audit  report. 

In  summary  response,  I  would  like  to  say  that  we  very  much  appreciate  the 
manner  in  which  the  audit  was  conducted  and  the  objectivity  which  we  consider 
of  value  to  this  organization.     Many  of  the  security  concerns  expressed  by 
the  auditor  have  been  concerns  of  this  organization  for  some  time.     We  do  not 
take  exception  to  the  recommendations  for  improving  security  in  the  Computer 
Center  area  and  indeed  appreciate  the  position  of  your  office  supporting  our 
state-wide  interest.     From  the  SCC  standpoint,  we  must  realistically  examine 
our  financial  ability  to  immediately  accomplish  the  recommendations  in  question. 
We  do  assure  you  of  our  intention  to  explore  each  and  recommend  to  our  management 
the  accomplishment  of  those  within  our  means.     In  all  instances  of  security, 
there  is  the  question  of  "Can  you  afford  to  adopt  the  highly  secure  procedures?", 
or  to  ask  the  question  in  another  manner,   "Can  you  afford  not  to?" 

With  your  permission,  we  would  like  to  continue  to  work  with  your  EDP 
audit  group,   calling  upon  them  for  advice  and  counsel  as  we  work  to  meet  the 
recommendations  of  the  audit  report. 


Sincerely , 


REJ:hhs 

cc:     Mr.  Arnold  Zogry,  Assistant  Secretary 
Department  of  Administration 
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